Desenmascara.me

Tuesday, 23 June 2015

UPDATE 23.06.2015: This campaign, dated 22.06.2015, is targeting an additional brand, RayBan; see below the recently created fake domains.

UPDATE2 24.6.2015: Instead of spending money to register fake domains, they are now using subdomains of the compromised websites.

UPDATE3 26.6.2015: Hundreds of compromised websites are popping up in Google searches, and the spam phase is running on Twitter through either fake or compromised accounts.

All the data collected by desenmascara.me is taken directly from the users asking for website information. But for the new anti-counterfeit features, I am experimenting with new methods to collect fresh information.

One of the new methods I am experimenting with is Twitter. I have some scripts collecting tweets that contain certain keywords; that data is regularly processed to extract the relevant URLs, which are then checked for common fake-shop patterns. By doing that I came across a massive campaign targeting the Michael Kors and Oakley brands. The campaign seems to still be at an early stage, as the content was not ready yet, but the recently created fake Michael Kors domain (02.06.2015):

hxxp://www.hotmichaelkors.com/

was already being served through the HTTP request below (which collects all the details about the User Agent, operating system and screen size)

All the above compromised websites are based on the WordPress CMS, but they run different versions, both updated and quite old ones, on different hostings, so it is not clear how they became infected; most likely through some vulnerable WordPress plugin.

Screenshot of one of the compromised sites with the spam

Screenshot of another of the compromised sites with the spam

Screenshot of another of the compromised sites with the spam

Some of the fake domains being prepared for the campaign, either through black hat SEO tactics or as a chain of redirects, are:

ucilna.si is a compromised website whose owners do not worry too much about its maintenance:

Then the bad guys have the infrastructure at their disposal, and instead of investing money in purchasing fake domains, as pointed out above for the 3 brands, they can now leverage poorly maintained websites like this one to create subdomains to host their fake sites.
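As an added example (not the blog's own scripts), here is a small Python triage of the Twitter collection described earlier, which also separates the two hosting tactics discussed in this post: it extracts defanged URLs from tweet text, then flags a brand keyword appearing in the registrable domain (a purpose-registered fake such as hotmichaelkors.com) separately from a brand keyword appearing only in a subdomain (the compromised-host tactic). The sample tweets and the example.org subdomain are constructed, and the two-label registrable-domain split is an assumption (a real pipeline would use the Public Suffix List).

```python
import re
from urllib.parse import urlparse

# Brand keywords named in the post, in compacted form (no hyphens/spaces).
BRANDS = ("michaelkors", "oakley", "rayban", "hermes", "reebok")
# Matches both live (http) and defanged (hxxp) URLs found in tweet text.
URL_RE = re.compile(r"\bh[xt]{2}ps?://[^\s<>\"']+", re.IGNORECASE)

def compact(label):
    return label.lower().replace("-", "").replace("_", "")

def extract_urls(text):
    """Return refanged URLs found in a tweet (hxxp -> http for parsing)."""
    return [re.sub(r"^hxx", "htt", m.group(0), flags=re.IGNORECASE)
            for m in URL_RE.finditer(text)]

def split_host(host):
    """Naive registrable-domain split: last two labels. Assumption: no
    Public Suffix List, so suffixes like co.uk would be mis-split."""
    labels = host.lower().split(".")
    if len(labels) < 2:
        return host.lower(), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def classify(url):
    """Heuristic label for one URL based on where a brand keyword sits."""
    host = urlparse(url).hostname or ""
    registrable, sub = split_host(host)
    reg_label = compact(registrable.split(".")[0])
    sub_compact = compact(sub)
    for brand in BRANDS:
        if brand in reg_label:
            return "fake-domain"          # e.g. hotmichaelkors.com
        if sub and brand in sub_compact:
            return "subdomain-on-host"    # brand only in a subdomain
    return "unclassified"                 # generic names (sunglasssell.com) are missed

def triage(tweets):
    """Map each distinct host seen in the tweets to its heuristic label."""
    result = {}
    for tweet in tweets:
        for url in extract_urls(tweet):
            host = (urlparse(url).hostname or "").lower()
            if host:
                result.setdefault(host, classify(url))
    return result

# Constructed sample tweets: hotmichaelkors.com and sunglasssell.com are the
# domains named in the post; the example.org subdomain is a placeholder.
SAMPLE_TWEETS = [
    "Cheap MK bags!! hxxp://www.hotmichaelkors.com/ #michaelkors #outlet",
    "oakley sunglasses 80% off http://michael-kors-outlet.example.org/shop",
    "sunglasses sale hxxp://sunglasssell.com/ free shipping",
]

if __name__ == "__main__":
    for host, label in triage(SAMPLE_TWEETS).items():
        print(f"{host:40} {label}")
```

The "unclassified" bucket is the important caveat: a brand-keyword heuristic misses generic shop names, so hosts in that bucket still need a look at the page content or the redirect chain.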

Examples of other sites using the same tactic for other brands:

Website compromised with a Hermes fake shop within a subdomain

Same website compromised with a Reebok fake shop within a subdomain

Another website compromised with a Reebok fake shop within a subdomain

UPDATE 3: Google results and Twitter spam of this massive campaign.

In any of the compromised websites we can see a bunch more links to other compromised websites, as in the picture above:

In Google we can see this campaign shows 615 results:

On Twitter this campaign is leveraging hundreds of compromised accounts:

Bottom line: despite warning the affected brands about this ongoing campaign, which started on 22 June, no feedback has been received, and all the fake domains, including the ones ready to shop:

hxxp://www.hotmichaelkors.com/

hxxp://sunglasssell.com/

are still active at the time I am writing this update (26.06.2015). The rest of the fake domains are still in preparation mode, and we can expect them to come online during the next days.

All the fake domains detected in this campaign are already spotted by desenmascara.me.